Security Experts On PCI DSS 4.0 Released

Following the news that the PCI Council has released the latest update to the PCI Data Security Standard today (March 31): https://www.pcisecuritystandards.org/about_us/press_releases/pr_03312022

Expert Comments

April 01, 2022
Tim Erlin
VP of Product Management and Strategy
Tripwire


The PCI DSS is a standard with tenure in the industry, with the first version being introduced in 2004. The PCI DSS was unique when introduced because of its prescriptive nature and its focus on protecting cardholder data. Cybersecurity is a changing landscape, and prescriptive standards have to be updated to address those changes. The last update to the PCI DSS was in 2018, and the world has certainly changed since then.

The v4.0 updates to the standard don’t immediately come into effect for all organizations. The PCI Council future-dates many of the new requirements out to 2025, labeling them as best practices until then. While this transition period provides organizations with time to adapt to new requirements, it also leaves room for greater risk through that transition period. Determining the appropriate implementation time frame for new compliance requirements is a balancing act that simply can’t make every stakeholder happy. It would be ideal if most organizations moved to the best practices before they’re required.

Any additional emphasis on securely configuring systems is a welcome addition to cybersecurity best practices. While the previous version of the PCI DSS addressed secure configuration, it unfortunately focused on changing vendor-supplied default passwords. Secure configuration management goes well beyond vendor-supplied passwords, and it’s great to see the new version of the standard take a more expansive approach to the requirement.

Zero Trust Architecture has grown in adoption since the previous version of the PCI DSS was released in 2018. The new version of the standard makes room for Zero Trust approaches to authentication and authorization with allowances for “dynamically analyzed” security posture as a mechanism for providing “real-time access to resources” as an alternative to rotating passwords. Keeping up to date with best practices in cybersecurity is important in order to avoid organizations downgrading security in order to maintain compliance.
